In a cryptographic construct known as a ring signature, a signature is produced by one member in a set or “ring” of possible signers without revealing to the verifier which member actually produced the signature. More specifically, a ring signature allows a user to choose any set of possible signers that includes himself, and to sign a message by using his secret key and the public keys of the other members of the set, without getting their approval or assistance. A ring signature is therefore distinct from a standard group signature, in that a group signature generally requires the prior cooperation of the members of the set and also leaves each member vulnerable to later identification by a group manager.
Unlike group signatures, ring signatures have no group managers, no setup procedures, no revocation procedures, and no coordination among the members. The verifier only needs to know the public keys of the ring members in order to verify the ring signature. Furthermore, ring signatures can be constructed using simple computations, e.g., AES-Hash computations combined with a trap-door permutation such as RSA encryption. For additional details, see Ronald L. Rivest, Adi Shamir and Yael Tauman, “How to Leak a Secret,” Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances In Cryptology, pp. 554-567, Springer-Verlag, June 2001, which is incorporated by reference herein.
As indicated above, ring signatures are privacy-preserving constructs, in that neither the verifier nor any other entity reading the ring signature can determine which member of the set of possible signers actually signed the message. However, there remains a need for improvements in privacy management relating to ring signatures and similar cryptographic constructs. For example, the members of the set of possible signers of a ring signature generally want the highest possible level of privacy, which may conflict with the legitimate goal of the verifier to perform certain analytics that provide value to the verifier while also preserving the privacy of the members at a reasonable level.